Why it matters: Encrypted chat services such as Signal, Telegram, and WhatsApp advertise themselves as the most secure, private digital communication methods. However, no matter how strong an app's end-to-end encryption is, hackers and authorities have discovered that the weakest attack vector isn't the software or messaging protocol, but the operating system it's installed on.
Supporters of the defendants at a recent Texas trial informed 404 Media that the FBI extracted incoming Signal chat messages from a defendant's phone even though the defendant deleted the app and messages. The agents instead recovered message content that the iPhone had stored in a separate database containing push notifications.
The case involves eight people who were convicted on terrorism charges after a police officer was wounded by gunfire outside an ICE detention facility. The witness whose phone contained the Signal messages, Lynette Sharp, previously pleaded guilty to providing material support to terrorists.
Signal prides itself on being open-source, secure, and private. Messages are only stored on the phone by default, and the service only recently introduced an opt-in backup feature. If the app or messages are deleted or the phone is lost, the messages should be unrecoverable. In fact, during the trial, an FBI special agent testified that Sharp set her messages to expire and that they had indeed expired in the app.
However, Apple devices copy and store content from push notifications, even when that content disappears from the original app. Apple's operating systems only save the content that appears in the notifications, so the FBI could recover only incoming messages, not outgoing messages.
Signal actually has settings to guard against this. Users can control what information appears in push notifications, such as message content, usernames, and actions. Sharp evidently declined to restrict notifications from Signal, likely to retain the convenience of reading messages without unlocking her phone. The incident highlights how tight security measures can clash with user comfort.
The revelation carries implications for all messaging apps, not just Signal. Not all apps have settings to control what appears in push notifications, so users should remember that any message they send might be preserved in the recipient's notification database, which forensic software can access.
Furthermore, Apple has previously submitted notification data to authorities. The company doesn't fulfill all government requests, but reports indicate that the US, UK, and German governments have received data through thousands of push-notification requests. The US Cybersecurity and Infrastructure Security Agency also warns users that hackers often attempt to access content from Signal or other messaging apps by taking over the host phone and reading messages after they have been sent and decrypted.